
VHostScan
A virtual host scanner that can be used with pivot tools and can detect catch-all scenarios, aliases and dynamic default pages. First presented at SecTalks BNE in September 2017.
  • Quickly highlight unique content in catch-all scenarios
  • Locate the outliers in catch-all scenarios where results have dynamic content on the page (such as the time)
  • Identify aliases by tweaking the unique depth of matches
  • Wordlist supports standard words and a variable to input a base hostname (e.g. dev.%s from the wordlist would be run as dev.BASE_HOST)
  • Work over HTTP and HTTPS
  • Ability to set the real port of the webserver to use in headers when pivoting through ssh/nc
  • Add simple response headers to bypass some WAF products
  • Identify new targets by using reverse lookups and append to wordlist

Product Comparisons:

[Image: featureMap.PNG]

Usage Examples:

$ -t

[Image: Bank%20VHOST%20Example.png]

Port forwarding

Say you have an SSH port forward listening on port 4444 forwarding traffic to port 80 on's development machine. You could use the following to make VHostScan connect through your SSH tunnel via localhost:4444 but format the header requests to suit connecting straight to port 80:

$ -t localhost -b -p 4444 -r 80


If you want to pipe information into VHostScan you can use the - flag:

$ cat bank.htb | -t -

[Image: Bank%20VHOST%20Pipe%20Example.png]

[Image: Vs4P58c.png]
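The catch-all, dynamic-content and unique-depth features listed above, as an added example that is not part of the original post and is not VHostScan's own code. It works offline on constructed responses; the function names, the 0.9 similarity threshold and the reading of "unique depth" as "content seen at most N times" are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample data: Host header value -> response body. No network access.
CATCH_ALL = "<html><body>Welcome to nginx! Server time: {t}</body></html>"
RESPONSES = {
    "www.example.test": CATCH_ALL.format(t="12:00:01"),
    "mail.example.test": CATCH_ALL.format(t="12:00:02"),
    "foo.example.test": CATCH_ALL.format(t="12:00:03"),
    "dev.example.test": "<html><body>Development portal login</body></html>",
    "admin.example.test": "<html><body>Shared staff application</body></html>",
    "staff.example.test": "<html><body>Shared staff application</body></html>",
}


def group_exact(responses):
    """Group hosts whose bodies are byte-identical (hash comparison)."""
    groups = defaultdict(list)
    for host, body in responses.items():
        groups[hashlib.sha256(body.encode()).hexdigest()].append(host)
    return [sorted(hosts) for hosts in groups.values()]


def cluster_fuzzy(responses, threshold=0.9):
    """Greedy clustering: a body joins the first cluster whose representative
    body is at least `threshold` similar, so a changing timestamp is tolerated."""
    clusters = []  # list of (representative_body, [hosts])
    for host in sorted(responses):
        body = responses[host]
        for rep, hosts in clusters:
            if SequenceMatcher(None, rep, body).ratio() >= threshold:
                hosts.append(host)
                break
        else:
            clusters.append((body, [host]))
    return [hosts for _, hosts in clusters]


def outliers(clusters, unique_depth=1):
    """Hosts whose content appears at most `unique_depth` times (assumed meaning)."""
    return sorted(h for c in clusters if len(c) <= unique_depth for h in c)


if __name__ == "__main__":
    print("exact, depth 1:", outliers(group_exact(RESPONSES)))
    print("fuzzy, depth 1:", outliers(cluster_fuzzy(RESPONSES)))
    print("fuzzy, depth 2:", outliers(cluster_fuzzy(RESPONSES), unique_depth=2))
```

With exact hashing the timestamped catch-all pages all look unique; fuzzy clustering collapses them so only the distinct host stands out, and raising the depth to 2 surfaces the two hosts that serve the same page as aliases.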

